You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

103 lines
5.1 KiB

7 months ago
# Version 9.2.2.20240415
[DeploymentServerClients]
search = | tstats count where index=_dsclient `filter_by_client_id("$clientId$")` by \
data.build data.clientId data.connectionId data.dns data.guid data.hostname data.instanceId \
data.instanceName data.ip data.mgmt data.name data.package data.packageType data.splunkVersion data.utsname datetime \
| rename data.* as * \
| dedup clientId sortby -datetime\
| join clientId type=inner max=1 [ \
| search index=_dsphonehome earliest=$reloadTime$ `filter_by_client_id("$clientId$")` \
| rename data.* as * \
| search `filter_by_phonehome($minPhoneHomeTime$)` \
| dedup 4 clientId \
| stats list(lastPhoneHomeTime) as lastPhoneHomeTime latest(_time) as _time by clientId \
| mvexpand lastPhoneHomeTime limit=4 \
| delta lastPhoneHomeTime as phoneHomeInterval \
| eval phoneHomeInterval = if (phoneHomeInterval < 0, 0 - phoneHomeInterval, null) \
| stats latest(lastPhoneHomeTime) as lastPhoneHomeTime latest(updaterRunning) as updaterRunning avg(phoneHomeInterval) as averagePhoneHomeInterval by clientId \
| eval actual_ratio=(now() - lastPhoneHomeTime) / averagePhoneHomeInterval \
| search `filter_by_ratio("$greater_than$", $ratio$)` \
| dedup clientId \
] \
| join clientId type=left max=0 [ \
| search index=_dsappevent earliest=$reloadTime$ `filter_by_client_id("$clientId$")` \
| rename data.* as * \
| dedup key \
| search `filter_by_app("$appName$")` `filter_by_serverclasses("$serverClassNames$")` \
`filter_by_action("$action$")` `filter_by_checksum($checksum$)` `filter_by_error("$has_error$")` \
| stats list(appName) as appName list(serverClassName) as serverClassName \
list(action) as action list(result) as result list(failedReason) as failedReason \
list(checksum) as checksum list(timestamp) as timestamp count(appName) as countApps by clientId \
| eval appName=mvjoin(appName, "#") \
| eval serverClassName=mvjoin(serverClassName, "#") \
| eval action=mvjoin(action, "#") \
| eval result=mvjoin(result, "#") \
| eval failedReason=mvjoin(failedReason, "#") \
| eval checksum=mvjoin(checksum, "#") \
| eval timestamp=mvjoin(timestamp, "#") \
] \
| eval appName=split(appName, "#") \
| eval serverClassName=split(serverClassName, "#") \
| eval action=split(action, "#") \
| eval result=split(result, "#") \
| eval failedReason=split(failedReason, "#") \
| eval checksum=split(checksum, "#") \
| eval timestamp=split(timestamp, "#") \
| search `filter_by_app_count("$has_app_filter$")`
[DeploymentServerClientsBasic]
search = | tstats count where index=_dsclient by \
data.build data.clientId data.connectionId data.dns data.guid data.hostname data.instanceId \
data.instanceName data.ip data.mgmt data.name data.package data.splunkVersion data.utsname datetime\
| rename data.* as * \
| dedup clientId sortby -datetime\
| join clientId type=inner max=1 [search index=_dsphonehome earliest=$reloadTime$ \
| rename data.* as * \
| dedup clientId \
| table clientId lastPhoneHomeTime \
] \
| eventstats count as total \
| head $offset_end$ \
| streamstats count as paginator \
| where paginator>$offset_start$ \
[DeploymentServerClientsByMachineType]
search = | search index=_dsclient earliest=0 | stats latest(data.utsname) as utsname by data.clientId | stats count as clients by utsname
[DeploymentServerAppEvents]
search = | search index=_dsappevent earliest=$reloadTime$ data.clientId IN ($clientIdList$) $result$\
| rename data.* as * \
| dedup key \
| stats list(appName) as appName list(serverClassName) as serverClassName \
list(action) as action list(result) as result list(failedReason) as failedReason \
list(checksum) as checksum list(timestamp) as timestamp count(appName) as countApps by clientId
[DeploymentServerRecentDownloads]
search = | search index=_dsappevent data.action!=Install earliest=$earliest$ \
| stats latest(data.result) as result latest(data.action) as action by data.clientId data.serverClassName data.appName \
| search result=Ok action=Download \
| stats count as downloads
[DeploymentServerEventsWithError]
search = | search index=_dsappevent earliest=$reloadTime$ data.result != Ok \
| rename data.* as * \
| stats latest(failedReason) as failedReason latest(action) as action latest(timestamp) as timestamp by serverClassName, appName, clientId
[DeploymentServerHasDeploymentErrorsPerAppAndServerclass]
search = | search index= _dsappevent earliest=$reloadTime$ $result$ \
$appName$ $serverClassNames$ data.action=Download OR data.action=Install \
| dedup data.clientId | stats count as clients
[DeploymentServerGetPhonehomedClients]
search = | tstats dc(data.clientId) as clients where index=_dsphonehome earliest=$earliest$
[DeploymentServerLookupClient]
search = | search index=_dsclient data.clientId = $clientId$ \
| rename data.* as * \
| head 1
[DeploymentServerGetClientsUri]
search = | search index=_dsclient | strcat "https://" data.ip ":" data.mgmt uri \
| stats latest(_time) as latesttime latest(uri) as clientUri by data.clientId

Powered by BW's shoe-string budget.